feat(deps): bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
ajv	8.17.1	8.18.0
minimatch	9.0.3	9.0.7
simple-git	3.21.0	3.32.3
rollup	4.35.0	4.59.0
tar	7.5.2	7.5.11

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
• See full diff in compare view

Updates minimatch from 9.0.3 to 9.0.7

Commits

• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• 03b1778 update CI matrix and actions
• f1aaffe update test expectations for coalesced consecutive stars
• 5012655 coalesce consecutive non-globstar * characters
• 3515d1e [meta] add publishConfig.tag legacy-v9
• 0de7f45 9.0.5
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates simple-git from 3.21.0 to 3.32.3

Release notes

Sourced from simple-git's releases.

simple-git@3.32.3

Patch Changes

• f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

  Thanks to @​CodeAnt-AI-Security for identifying the issue

simple-git@3.32.2

Patch Changes

• 8d02097: Enhanced clone unsafe switch detection.

simple-git@3.32.1

Patch Changes

• 23b070f: Fix regex for detecting unsafe clone options

  Thanks to @​stevenwdv for reporting this issue.

simple-git@3.32.0

Minor Changes

• 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

  Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

• d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

simple-git@3.31.1

Patch Changes

• a44184f: Resolve NPM publish steps

simple-git@3.30.0

Minor Changes

• bc77774: Correctly identify current branch name when using git.status in a cloned empty repo.

  Previously git.status would report the current branch name as No. Thank you to @​MaddyGuthridge for identifying this issue.

simple-git@3.28.0

Minor Changes

• 2adf47d: Allow repeating git options like {'--opt': ['value1', 'value2']}

simple-git@3.27.0

Minor Changes

... (truncated)

Changelog

Sourced from simple-git's changelog.

3.32.3

Patch Changes

• f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

  Thanks to @​CodeAnt-AI-Security for identifying the issue

3.32.2

Patch Changes

• 8d02097: Enhanced clone unsafe switch detection.

3.32.1

Patch Changes

• 23b070f: Fix regex for detecting unsafe clone options

  Thanks to @​stevenwdv for reporting this issue.

3.32.0

Minor Changes

• 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

  Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

• d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

3.31.1

Patch Changes

• a44184f: Resolve NPM publish steps

3.31.0

Minor Changes

• 22dc93f: Custom binary plugin should support the use of ~ character, used by Windows to shorten long folder names and folder names that have spaces in them (eg: C:\Program Files might become C:\PROGRA~1).

  Thanks to @​skyshineb for reporting this issue.

... (truncated)

Commits

• a1170e5 Version Packages
• f704208 In extension to CVE-2022-25912, switch to case-insensitive check for `protoco...
• 4bb2081 Version Packages
• 7ae7537 Match tokens to word boundary
• c47ad10 Lint
• 8d02097 Enhanced clone switch detection
• f6909a5 Remove test timeout override
• 7740626 Update plugin.unsafe.spec.ts
• b562a6c Version Packages
• 23b070f Fix regex for CLONE_OPTIONS constant (#1122)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for simple-git since your current version.

Updates rollup from 4.35.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates tar from 7.5.2 to 7.5.11

Commits

• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• 7bc755d parse root off paths before sanitizing .. parts
• c8cb846 update deps
• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.